CVE-2025-32451

HighPublic PoC

Published: 13 August 2025

Published

13 August 2025

Modified

03 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0018 38.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32451 is a high-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Foxit Pdf Reader. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires timely patching of the specific uninitialized pointer vulnerability in Foxit Reader 2025.1.0.27937 to prevent exploitation.

SI-16 Memory Protection good match

prevent

Memory protection mechanisms directly mitigate memory corruption from uninitialized pointer access, preventing arbitrary code execution even if the flaw exists.

CM-7 Least Functionality good match

prevent

Least functionality configuration disables JavaScript execution in PDF readers and browser plugins, preventing trigger of the crafted malicious code.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

RCE via crafted JS in malicious PDF enables drive-by compromise (plugin), client-side exploitation, and user-executed malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A memory corruption vulnerability exists in Foxit Reader 2025.1.0.27937 due to the use of an uninitialized pointer. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in…

arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Deeper analysisAI

CVE-2025-32451 is a memory corruption vulnerability in Foxit Reader version 2025.1.0.27937, stemming from the use of an uninitialized pointer. The issue is triggered by specially crafted JavaScript code embedded within a malicious PDF document, leading to memory corruption and potential arbitrary code execution.

Attackers can exploit this vulnerability by tricking users into opening a malicious PDF file, requiring user interaction but no privileges. Exploitation is also feasible if the browser plugin extension for Foxit Reader is enabled and the user visits a specially crafted malicious website. Successful exploitation grants high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), with the root cause mapped to CWE-824 (Access of Uninitialized Pointer).

Mitigation details are outlined in advisories from Talos Intelligence, available at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2202 and https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2202.